Payments Blog • 4 MIN READ

PCI Compliance and Protecting Customer Data

Jamie Pearson

Written by Jamie Pearson

Data breaches are becoming all too common. It seems almost daily another serious breach is publicized in the media. It's now nearly impossible to keep them a secret, the damage to reputations and brands can be irreparable.

Behind the scenes, credit card companies are taking constant steps to protect cardholder data. Subsequent versions of compliance standards have become stricter to combat fraud. Banks also have to get audited every few years to ensure they're still meeting all those standards. It can really drive up the cost of running a payments system.

In fact, one of the trends we're seeing as a result of increased costs is the move towards hosted payment environments. Smaller institutions that used to run their own payment systems are now choosing to trust a service provider. That way, the compliance obligations can be taken care of by the provider and the bank only needs to pay a monthly subscription fee. The decision comes down to a direct comparison of operational expenditure versus capital expenditure. It's much easier to trust a service provider instead of taking on those obligations themselves.

We've all heard about different applications moving to the cloud. It's a shift for everyone, but it's definitely a trend we're observing in the payments arena. It makes sense, especially for small institutions that can get access to the same setup as larger institutions. It's better to pay for what they use instead of paying the large cost of setting up the whole infrastructure. The end result is the same setup at a much more reasonable price.

How Vendors Protect Customer Data

Applications that process transactions must protect cardholder information - without any leaks. Prognosis for Payments is more of a monitoring application, so it doesn't strictly qualify as a payment processing application. Even so, we still have to provide guidance to our customers about how our product meets the requirements of PCI DSS. (This is the standard banks get audited against).

Even though we don't strictly have to get audited for these requirements, we find ourselves in a knowledgeable position since we regularly provide advice to major banks. We closely investigate changes to the latest standards and update our guidance to customers on a regular basis. It's actually a very complex environment, involving the coordination of many different tools, to ensure obligations are being met.

Protecting the integrity of cardholder data often comes down to closely monitoring access to the systems. Obviously, credit card information has to be made available to people inside the bank to allow them to do their job. You also have to track who has access to that data. Whenever the data is sent across networks, it must be encrypted and logged.

Manually capturing all that data from systems is incredibly difficult. You have to make sure that all software changes are tracked. That involves scrubbing the security and audit logs to make sure that every access to the system is recorded. It also involves making sure the system is secured so unauthorized attempts are being tracked as well.

One of the most important steps you can take is to partner with vendors who understand these issues and keep on top of changing standards. It's optimistic to think there would be a single vendor that could solve all your issues. However, if you look at the tools that can help make the job easier, you'll be ahead of the game. The cost to keep your environment up to standards and auditing obligations is high enough already. Smart organizations closely look at the tools to help ease that cost.

Topics: Payments Service Provider

Subscribe to our blog

Stay up to date with the latest
Communications, Payments and HP Nonstop
industry news and expert insights from IR.

We're committed to your privacy. IR uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our privacy policy.